SquidClamav 6.15, Monday January 18 2016
This release fix a major bug of a buffer overflow in squidclamav_safebrowsing() and change the http response code in squidclamav redirection when a virus is found.
- Update copyrights - Fix buffer overflow in squidclamav_safebrowsing(). Thanks to Stuart Henderson for the patch. - Change http response code 301 (move permanently) to 307 (temporary redirect) in squidclamav redirection when a virus is found. Thanks to Alexander Koch for the report. - Fix null url, client ip and username in safebrowsing report. Thanks to Claus Regelmann for the patch.
SquidClamav 6.14, Sunday October 17 2015
This release fix a compilation issue with c-icap 0.4.x and exclude the HTTP method OPTIONS from being virus scanned.
- Fix compilation issue with C-icap 0.4.x replacement of hasalldata with flags. Thanks to Akash Shende for the patch. - Change configure and makefile templates to automatically adapt the code following the c-icap version. - Excluded OPTIONS http method from being scanned. Thanks to Yuri Voinov for the report. - Fix some ru_RU translation errors. Thanks to romale for the report.
SquidClamav 6.13, Monday June 01 2015
This release fix some minor issues and allow to use a file with a list of regular expression to be whitelisted.
- Fix some memory management issues. Thanks to mbechler for the patch. - Fix typo in documentation - Allow whitelist directive to receive a file as value import the whitelist from another file. This file must only contain a list of regex (one per line) to be whitelisted. Thanks to karlmendes for the feature request. - Fix generated 403 response which was not correct. Thanks to Manoj Ramakrishnan for the report and Christos Tsantilas for the fix.
SquidClamav 6.12, Sunday December 28 2014
This release fixes the default path to configuration file to be the same as c-icap configuration directory. Some issues revealed by Coverity Scanner have been fixed as well as some code cleanup.
- Update year in copyright. - Add more information about redirect directive to documentation and configuration file. - Update documentation to be more explicit about the --with-c-icap configure option. Thanks to Yuri Voinov for the suggestion. - Add configuration for squid 3.4.x to documentation. Thanks to Yuri Voinov for the patch. - Set debug level to 2 for message "Can not begin to scan url: No preview data". Thanks to Marco Gaiarin for the suggestion. - Fix creation of configuration direction at inistall time. - Fix default path to squidclamav.conf. It is now always installed and searched in c-icap configuration directory. /etc/squidclamav.conf is no more used as default. Thanks to Oliver Seeburger for the report. - The message about undefined squidguard directive has been changed. - Change cast on content_length printing. - Fix some issues returned by Coverity scanner.
SquidClamav 6.11, Monday Mars 10 2014
This release adds support to icap template allowing to display a templated response on block instead of redirecting to an external URL. Add new lines into HTTP and ICAP response header to set X-Infection-Found and X-Virus-ID when a virus is found. With the possiblity to scan data sent without preview this allow some commercial product like MoveIt DMZ to work with c-icap and squidclamav service. Lot of code clean up and bug fixes.
- Add X-Infection-Found and X-Virus-ID into icap response header. This allow some commercial product like MoveIt DMZ to work with c-icap/squidclamav service. - Fix compilation issue with c-icap 1.6.x versions. Old version of c-icap ( < 0.2.x ) does not support icap template, this is now detected at configure time. Thanks to Graham Har for the report. - Remove preview data enabling from mandatory option. - Allow use of non HTTP request used by ICAP client like c-icap-client or request from commercial product such as Move It DMZ. For example: c-icap-client -i 127.0.0.1 -p 1344 -f eicar.zip \ -s "squidclamav?allow204=on&force=on&sizelimit=off&mode=simple" -v Thanks to Henry ken for the feature request. - Update Copyright - Udapte auto generated configuration and make files and fix several compile time warning from squidclamav.c. Also fix an error message wrongly displayed at squidclamav.conf fd close time. - Add MALWARE_FOUND icap template that will be displayed by Squid when a malware is found instead of redirecting to the CGI (when redirect configuration directive is not defined). - Tested squidclamav with c-icap 0.3.2 - When there's no clamd running, die. bypass should be in the proxy setup instead of in squidclamav code. Thanks to Peter Molnar for the patch. - Clean up HTTP Response headers. Thanks to Peter Molnar for the patch. - Fix conflicting types for strnstr on freeBSD. Thanks to Mathias H for the report. - Fix an issue on FreeBSD with squidclamav.conf parser reporting fatal error into add_pattern. - Remove all of the built-in format tokens - these are included by c-icap, so no need to duplicate them here. Thanks to Nathan Hoad for the patch. - Fix documentation about using template instead or redirect URL. - Lots of code cleanup and debugs method, similar to what Squid uses. Thanks to Nathan Hoad for the patch. - Updated all documentation to mention new behaviour in the absence of the redirection option. Thanks to Nathan Hoad for the patch. - Displaying a templated response on block instead of redirecting. It supports all the format tokens that the LogFormat directive supports, plus %mn for displaying the virus name as identified by ClamAV. Thanks to Nathan Hoad for the patch. - Don't stub out __FUNCTION__ unless we're definitely on Solaris. Thanks to Nathan Hoad for the patch. - Provide a macro to make debug messages much nicer. This updates messages to display logs like so: squidclamav.c(252) squidclamav_close_service: DEBUG clean all memory! This makes debugging both nicer to read and write. Thanks to Nathan Hoad for the patch. - Remove xfree, as any respectable compiler (i.e. one that follows the C standard) won't crash if you call free(3) on NULL. Thanks to Nathan Hoad for the patch. - Normalise indentation and remove all trailing whitespace. No functional changes. Thanks to Nathan Hoad for the patch.
SquidClamav 6.10, Saturday October 27 2012
- Replace clamd STREAM by zINSTREAM protocol as clamav have removed the obsolete STREAM protocol in release 0.97.4. Thanks to Vasan and Raja Lakshmi for the report.
SquidClamav 5.11, Monday October 29 2012
This is a quick fix release to prevent squidclamav to fill the log file with debug message.
- Fix printing level of debug message when printing chunk sent to clamd. Thanks to Yuri Voinov for the report.
SquidClamav 5.10 & SquidClamav 6.10, Saturday October 27 2012
This new release replace clamd STREAM deprecated protocol by INSTREAM, previous version of squidclamav will not works with clamav upper that 0.97.3 release.
Version 6.10 - Replace clamd STREAM by zINSTREAM protocol as clamav have removed the obsolete STREAM protocol in release 0.97.4. Version 5.10 - Replace clamd STREAM by zINSTREAM protocol as clamav have removed the obsolete STREAM protocol in release 0.97.4. Thanks to Vasan and Raja Lakshmi for the patch. - Fix issue with sigaction sa_mask by using sigemptyset and sigaddset. - Replace signal() by sigaction calls. Thanks to John Xue for the report.
Please upgrade, test it and report any issue.
SquidClamav 6.9, Tuesday August 28 2012
This release fix a main issue in support to Clamav Google Safe Browsing.
- Add 'safebrowsing' configuration directive to enable/disable Safe Browsing detection. - Fix support to Clamav Google Safe Browsing that need a second query to clamd because the url need to be embeded in an email like content. Thanks to frOgz for the report. - Documentation updated for safebrowsing and proxy configuration variables. - All redirect CGI scripts have been rewritten with some CSS and to better handle virus vs malware. Thanks to frOgz for the patches. - Tested SquidClamav with Squid 3.2 successfuly.
SquidClamav devel on github, https://github.com/darold/squidclamav
The latest development code of SquidClamav is available from github.org.
SquidClamav 5.9, Saturday August 25 2012
This release fix a main issue in support to Clamav Google Safe Browsing.
- Add 'safebrowsing' configuration directive to enable/disable Safe Browsing detection. - Fix support to Clamav Google Safe Browsing that need a second query to clamd because the url need to be embeded in an email like content. Thanks to frOgz for the report. - Documentation updated for safebrowsing and proxy configuration variables.
Update installation page, Thuesday July 26 2012
There's now a new part in the Install page that list some material about SquidClamav, like howtos, packages and other. If you want a link here please drop me a line!
SquidClamav 6.8, Thuesday July 26 2012
This is a quick release that fixes compatibility issues with new c-icap 0.2.x, many people ask for this support.
- Compatibility fix with new c-icap 0.2.1 release that prevent squidclamav service to be initialized. Thanks to Martin Matuska for the patch. - Fix issue with new c-icap 0.2.1 release that generate an error error each time squidclamav return CI_MOD_204 in end of data handler function. Thanks to Martin Matuska or the patch.
SquidClamav 6.7, Tuesday July 24 2012
This release prevent squidclamav to segfault with escaped special characters passed into URL that are sent to squidguard by the obsolete squidguard configuration directive.
- Add a workaround for a squidGuard bug that unescape the URL and send it back unescaped. This result in garbage staying into pipe of the system command call and could crash squidclamav on next read or return false information. This is specially true with URL containing the %0D or %0A character. Thanks to John Xue for the report. - Update documentation about the recommanded way to call squidGuard through the use of url_rewrite_program in squid.conf. You may not use the squidguard configuration directive into squidclamav.conf.
SquidClamav 5.8, Tuesday July 24 2012
This release fix several security issues by escaping CGI parameters and preventing squidclamav to segfault with escaped special characters in URL.
- Add a workaround for a squidGuard bug that unescape the URL and send it back unescaped. This result in garbage staying into pipe of the system command call and could crash squidclamav on next read or return false information. This is specially true with URL containing the %0D or %0A character. Thanks to John Xue for the report. - Backport cgi scripts from 6.x branch to 5.x to apply a security fix.
SquidClamav 6.6, Monday May 28 2012
This release fixes a bug with the trustclient directive when dnslookup was disabled and a complete rewrite of the maxsize related code.
- Rewrite entirely the squidclamav behavior with the maxsize directive. The previous fix was only a workaround. - Fix a bug on 'trustclient' check part that was never executed if 'dnslookup' was disabled. Thanks to Kandalf for the report.
SquidClamav 6.5, Sunday January 15 2012
This is a maintenance release that fixes some pending bugs and adds more support to Safe Browsing ClamAv detection.
- Fix a squidclamav crash when maxsize is removed from configuration file or disabled/set to 0. Thanks to Pascal Bendeich for the report. - Fix an issue when downloaded file size is upper than clamd.conf limit set into the StreamMaxLength configuration directive. Thanks to Arnvid Karstad for the report. - All cgi Perl script have been modified to report unsafe browsing. - Add a note about ClamAV and the support for Google Safe Browsing database. As clamd will returned something like: Safebrowsing.
FOUND this will be redirected by squidclamav just like if a virus was found. Thanks to Michael Grasso for the request.
SquidClamav 6.4, Friday August 19 2011
This release fixes a second double free memory corruption and a mishandled pattern memory reallocation on "squidclamav:cfgreload" command call or c-icap threads restart.
- Change default value for clamd_local configuration directive to the common package default clamd local socket '/var/run/clamav/clamd.ctl'. - The origin of the double free corruption was partially found in last release. It is now completely fixed. Thanks to Tim Weippert for the report. - The call to squidGuard from SquidClamav by a bidirectional pipe seem to make squid/c-icap system going slower and slower. The reason comes from more and more pending squidGuard processes after c-icap threads restart. The historical reason of this feature is related to Squid version 2.x that doesn't allow to chained url_rewrite_program. I think this is no more useful so the squidguard configuration directive will be removed in next major release. Thank to Marco Schuth and David Tannheimeri for the report. You'd better use the Squid configuration file (squid.conf) and the 'url_rewrite_program' directive to use squidGuard. There's no plan to reintroduce the call to squidGuard from SquidClamav at least until squidGuard has a daemon mode or you really asked for it. - Fix an issue on reallocating mishandled null pattern array.
SquidClamav 6.3, Sunday June 26 2011
This is a bugfixes release.
- Remove obsolete code on log_file configuration directive. - Fix double free corruption when sending a configuration reload command: echo -n "squidclamav:cfgreload" >> /var/run/c-icap/c-icap.ctl Thanks to David Tannheimer for the report. This bug appears only when using local Unix socket to connect clamd. - Compatibility check with c-icap-0.1.6: ok
SquidClamav 6.1 is in debian unstable, Tuesday March 15 2011
Thanks to Tim Weippert, squidclamav v6.1 is now in debian unstable and should enter testing (wheezy) this week.
Tim is also preparing an up-to-date package for 6.2 that will be uploaded in the next days.
SquidClamav 6.2, Sunday Febuary 27 2011
This release fixes a crash when X-Client-IP is not forwarded by Squid and fix null username and client ip. There's also a new configuration option to toogle dns lookup to improve speed and remove possible DNS timeout.
If you've experienced signal 11 exit, please ugrade asap.
- Fix squidclamav crash when X-Client-IP is not forwarded by default from squid to icap, i-e: when 'icap_send_client_ip on' is not set into squid.conf. Thanks to Diego Elio Pettenò for the patch. - Force client Ip and Username to '-' when they are not set or null. Thanks to Alex for the report. - Fix a signal 11 when username was not set. - Add new configuration option 'dnslookup' to disable DNS lookup of client ip address. Default is enabled for backward compatibility but you must desactivate this feature if you don't use trustclient with hostname in the regexp or don't have a DNS on your network. Disabling it will also speed up squidclamav.
SquidClamav 5.7, Sunday December 11 2010
This release fixes minor bugs in the 5.x branch but can be helpful if you are blacklisted by some sites du to excessive call of head request.
- Remove call to a HEAD request when there's no abortcontent configuration directive. This is helpful if your ip address is blacklisted by some site because they are receiving too much HEAD from you. Thanks to cOre for the report. - Fix hard coding of /etc/squidclamav.conf. Now it is relative to the prefix given as configure parameter (--prefix). Default is now to store configuration file in /usr/local/etc/squidclamav.conf. Thanks to cOre for the report.
SquidClamav 6.1, Friday October 29 2010
This release fix two major bugs, one prevent SquidClamav to compile on BSD* system and the other generate a sigfault when SquidClamav can't resolve the name of the remote host. Please upgrade asap.
- Add missing "#include <signal.h>", compilation on BSD and possibly other distribution was not working. Thanks to Alex for the report. - Fix segmentation fault by gethostbyaddr when remote client can't be resolved. Thank to Valery for the report.
SquidClamav 6.0, Friday October 22 2010
This is the initial release of the v6.x branch. It works exactly as v5.x branch except that it now use the ICAP protocol and must be run as a c-icap server service. The goal of this first release is to port SquidClamav to the ICAP protocol to solve all limitations encountered in the previous releases (audio/video streaming, site with session like webmail, support of POST request, etc).
Next release will tend to have real on stream scanning and bypass the size limitation. Coming soon, but I first want to be sure that c-icap is the good choose for stability and performance but also that this new branch is stable and speed enough. I hope you make me feedback.
As SquidClamav is now an ICAP service, you must use Squid v3.x branch and install the excellent c-icap server of Tsantilas Christos available at http://c-icap.sourceforge.net/. Please download version c-icap-0.1.x, you don't need the c-icap-modules part.
The squidclamav.conf configuration file from v5.x is fully compatible but some directives are now obsolete, here is the list:
squid_ip squid_port maxredir useragent trust_cache stat debug clamd_timeout
One have change, this is the 'timeout' directive that was used to set the timeout for libcurl download. As cURL is no more used, this timeout directive is now used to set the timeout for clamd connect. His default value is 1 second and can be set up to 10.
Others works as before. There's no packaging available yet.
YOU MUST tune the c-icap server following your need (number of users), see http://squidclamav.darold.net/tuning.html for the configuration directive that could help.
SquidClamav 5.6, Tuesday October 20 2010
This quick release fix compilation errors on CentOs and possibly other distribution and some compilation warnings
- Fix compile error with CLAMD_TIMEOUT on CentOs and possibly more distribution. Thank to Andrea Schoenberg for the report. - Fix compile warning on curl_easy_setopt with CURL_TIMEOUT. - Fix compile warning on execlp call.
SquidClamav 5.5, Monday October 19 2010
Release v5.5 is out!
This is the final release of the 5.x branch it fix some portability problem and curl timeout on slow sites. Here are the changes:
- Remove use of longjmp, it is not portable enough, by a simple call to of alarm and sigaction. - The clamd_timeout configuration has been removed. If you want to change the default timeout of one second please edit squidclamav.h and change the CLAMD_TIMEOUT second definition. - Add CURL_TIMEOUT constant in squidclamav.h for more easy change of the timeout given to cURL to download a HTTP header. The defaut is now 2 seconds. This fix the debug error message: bad header (28: Operation timed out after 1000 milliseconds with 0 bytes received) - Fix several compilation warning.
This is the final release of the 5.x branch, there will be only bug fix release now. The official development branch is now 6.x and the first release will be available this week.
SquidClamav 6.0 Beta, Wednesday September 29 2010
Good news, the SquidClamav version based on the ICAP protocol is now in beta testing under heavy load (2500 users) and seems to works well and faster!
It still need some work on documentation and packaging and may be out around the 10 October.
SquidClamav 5.4, Friday August 06 2010
Release v5.4 is out, here are the change:
- Fix bad handling of no running proxy and clamd daemon. - Add support for scanning SSL encrypted traffic with the new Squid feature sslBump. Thank to Jean DERAM for the patch. - Remove obsolete escaping chars on chained system program call. - Add setsid on chained program call, this may solve zombie problem on BSD system. Not fully tested.
SquidClamav 5.3, Tuesday Mars 23 2010
Release v5.3 fix the following issues:
- Fix random squidguard redirection on wrong user by setting chained program pipe line buffered. Thanks to Russ Wheatcroft for the report. - SquidClamav now logs chained program redirection with the original user and ip address. Only if logredir configuration option is enabled. ERRATA: This patch was announced but not applied on v5.2. - Add workaround for Squid < 3.0 which made maxsize control fail on location redirection so that content-length checked was always from the redirection page. Thanks to Andre Struempfel for the report.
SquidClamav 5.2, Monday Mars 08 2010
Release v5.2 is out, see change bellow:
- Fix configure and install on FreeBSD. - Fix chained program zombies on BSD system. - Add russian translation of clwarn.cgi. Thanks to Philipp (Zoonman) for the contribution. - Fix error on debug printing of maxsize (using int instead of double).
SquidClamav 5.1, Sunday Febuary 21 2010
New release v5.1 is out, this is a bug fix release and openBSD port.
- Fix overriding of old SquidClamav configuration file during install. - Fix process name return for squidguard fork that always be squidGuard even if you're using an other redirector. - Fix configure and install on OpenBSD. - Change link to squidclamav site in CGIs.
SquidClamav 5.0, Monday Febuary 15 2010
SquidClamav v5.0 is finaly out, this version is not backward compatible with the 4.x configuration file. Here are the major changes:
- Now SquidClamav will scan all downloaded files by default so that you just have to configure what you don't want to scan. The default configuration file comes with predefined exclusion to help. - SquidClamav now use extended regex, you can have multiple pattern in a single line. For example to exclude images from scan you can use the following lines: abort ^.*\.(png|gif|jpg|ico)$ abortcontent ^image\/.*$ - SquidClamav is now able to perform failover on clamd connection. You can defined up to 5 clamd ip addresses separated by a coma for the 'clamd_ip' configuration directive. Thanks to Tuomas Haarala for the feature request. - The "whitelist" configuration directive now also abort the call to the chained program (squidguard or other) as well as aborting virus scan. This is the difference with the 'abort' directive that only disable virus scanning. - There's also two new configuration directive: 'trustuser' => allow to abort chained program and virus scan for a given ident username. 'trustclient' => allow to abort chained program and virus scan for a given client source ip address or dns name. - The 'force' configuration directive have been removed as all is scan by default. - Source tree has been clarified and normalyzed. squidclamav.c has been renamed in pattern.c and main.c in squidclamav.c - Add a bootstrap.sh file to create configure and makefile from scratch for developers. - Documentation has been reviewed and add a man file squidclamav.1 - Add packaging support for RPM, SlackBuild and Debian package. See packaging/ directory. - Remove code for call to chained program in command line if bidirectional pipe failed. - Fix install on OpenSolaris complaining about missing -lnsl and -lsocket library at compile time.
SquidClamav Web site, Sunday Febuary 07 2010
SquidClamav Web site has been released today, I hope you will love it.
SquidClamav 4.3, Wednesday January 27 2010
SquidClamav v4.3 is out, this is the latest version of the 4.x branch. New release v5.0 coming soon.